Retail is one of the industries hit hardest by the coronavirus pandemic. Stay-at-home orders and slow, staggered reopening plans have pushed many retailers into bankruptcy, and those that remain now depend largely on eCommerce and mobile commerce revenue to stay in business. Unfortunately, new research from Guardsquare shows that every mobile app from a retailer that filed for bankruptcy lacks basic security protections.
Leaving these apps unprotected makes them easier targets for malicious actors, and a successful attack can cost a retailer competitive advantage, sensitive customer data, or both. In this post, we walk through the categories of mobile app threats Guardsquare analyzed for its report, the key findings, and our recommendations.
Guardsquare analyzed more than 50 of the top Android retail apps for the 2020 Retail App Analysis Report; 14% of them came from companies that have filed for bankruptcy. Guardsquare's internal security evaluators looked at the two categories of technique attackers use to reverse engineer and tamper with mobile apps, both of which are typically carried out with freely available tooling: static analysis of the app package and dynamic analysis of the running app.
Within these two categories, the evaluators checked for seven specific code hardening and runtime application self-protection (RASP) measures. Code hardening (obfuscation and related transformations applied to the app before it ships) defends against static analysis of the package, while RASP checks built into the app defend against dynamic analysis and runtime attacks such as debugging, hooking and tampering.
Unfortunately, the mobile app security picture for retailers in bankruptcy was even worse than for the sample as a whole.
These results should alarm consumers and retailers alike. Shoppers in 2020 have had far fewer opportunities to buy in store, and two-thirds of them report shifting even more of their purchasing to online and mobile channels. Without adequate protection, a retail app can be tampered with, or copied and repackaged as a "fake app" that looks like the genuine one. Fake retail apps are especially dangerous because they can capture sensitive personally identifiable information (PII) from shoppers, such as names, credit card numbers and addresses.
The more likely, and often more costly, scenario for retailers is a competitive threat. Retailers in bankruptcy cannot afford to lose market share to competitors through their mobile and other online channels. Without code hardening, an app can be decompiled to expose internal details intended only for its developers, such as backend endpoints and business logic, to competitors or other bad actors. That information can be used to mount business or technical denial of service attacks that make the app hard for customers to use. Beyond denial of service, a competitor could scrape product catalog and pricing data through the app's interfaces to build an unauthorized third-party aggregator store, weakening the brand and eroding revenue. These are just two of many possible attack scenarios.
All mobile apps, whether for shopping, mobile banking, gaming or anything else, need to be secure by design. Retail apps in particular handle sensitive customer data and are high-value targets for competitive threats, so their developers should follow a secure software development lifecycle when building and updating them.
In general, mobile apps require a layered approach to security. Developers should use code hardening to protect the code at rest and RASP to protect the app while it runs. They should also use real-time mobile threat intelligence to learn when attackers are targeting their apps, so that attacks can be blocked or the underlying weaknesses fixed as quickly as possible. Many of these industry-standard best practices are well known and relatively easy to implement.
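To make the code hardening versus RASP distinction above concrete, here is an added example of a few minimal RASP-style runtime checks for an Android app. This is illustrative code written for this post; it is not taken from the Guardsquare report, nor is it how Guardsquare's own products implement these checks. It uses only public Android SDK APIs (`android.os.Debug`, `android.os.Build`, `ApplicationInfo`) and assumes an Android `Context` is available; the class and method names and the list of `su` paths are our own choices.

```java
// Added example, not from the original report or Guardsquare's products.
// Minimal RASP-style checks: is the app being debugged, run as a debuggable
// build, run on a rooted device, or run inside an emulator?
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import java.io.File;

public final class RuntimeChecks {
    private RuntimeChecks() {}

    /** True when a debugger is attached to, or about to attach to, this process. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** True when the installed build was packaged with android:debuggable="true". */
    public static boolean isDebuggableBuild(Context context) {
        ApplicationInfo info = context.getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristic root indicators: a test-keys build or an su binary on a common path.
     *  The path list is an assumption for this example, not an exhaustive set. */
    public static boolean hasRootIndicators() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            return true;
        }
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String path : suPaths) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Heuristic emulator indicators taken from the build properties. */
    public static boolean isLikelyEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu");
    }

    /**
     * Aggregate signal. A production app should report this to its backend and
     * let server-side policy decide how to respond; a single client-side
     * if/else that exits the app is trivial for an attacker to patch out.
     */
    public static boolean environmentLooksHostile(Context context) {
        return isDebuggerAttached()
                || isDebuggableBuild(context)
                || hasRootIndicators()
                || isLikelyEmulator();
    }
}
```

Two caveats a practitioner should keep in mind. First, each of these checks is a single method that returns a boolean, so without code hardening an attacker can find it by name in the decompiled app and hook it with a dynamic instrumentation framework to return `false`; this is exactly why the two layers have to be used together, and why the checks themselves (and their callers) need obfuscation and integrity checks. Second, the root and emulator heuristics will produce both false positives and false negatives, so treat them as signals to feed into threat intelligence and server-side policy rather than as hard gates.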